On August 1, 2017, the Senate introduced the proposed “Internet of Things (‘IoT’) Cybersecurity Improvement Act of 2017” (the “Act”) to establish, among other things, minimum cybersecurity standards for contractors who provide an array of connected devices to the federal government.
The Act was introduced by Senators Mark Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Senators Ron Wyden (D-OR) and Steve Daines (R-MT). Its core provisions would require the inclusion of specific clauses in procurement contracts with federal agencies for Internet-connected devices (e.g., smartphones and laptops), including a certification that the devices do not contain known security vulnerabilities or defects, are capable of being updated with new security patches, meet certain industry security standards, and do not contain any fixed or hard-coded credentials allowing remote access. To facilitate implementation and allow discretion to federal agencies, the Act provides for waiver of the minimum security requirements under certain circumstances, as well as recognition of alternative third-party security standards.
Senator Warner previously called for changes to connected device security in October 2016, when he wrote the FTC, FCC, and DHS in response to the Mirai botnet, a large-scale cyber-attack carried out by hackers who scanned the Internet for connected devices—such as routers and cameras—protected only by minimal factory-default passwords. With the IoT universe expected to include over 20 billion devices by 2020, Senator Warner expressed hope this week that the proposed legislation “will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.” While the Act would only apply to devices purchased by federal agencies, commentators such as Jonathan Zittrain of Harvard’s Berkman Klein Center for Internet & Society have applauded the Act’s use of “the power of the Federal procurement market, rather than direct regulation, to encourage Internet-aware device makers to employ some basic security measures in their products.”
In addition to the minimum out-of-the-box security requirements for connected devices, the Act would also mandate that government procurement contracts include provisions requiring (1) the seller-contractor to notify the purchasing agency of subsequently discovered security vulnerabilities or defects; (2) the updating of software to address future vulnerabilities; and (3) in the event a software update cannot sufficiently remediate a vulnerability, the repair or replacement of the device.
Finally, a separate component of the Act would provide carve-outs to liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act for persons engaged in “good faith” research of the cybersecurity of an Internet-connected device provided by a contractor to a federal agency. These protections would allow independent researchers to conduct systems penetration testing and other research on the types of devices used by federal agencies to identify potential security vulnerabilities without running afoul of federal law.